Allow find on the executor

Allow the "find" module to run on the executor under allowed paths.
We allow fileglob filter, so this seems like a natural related
function.

Change-Id: Iab4fe4f9ef4efed38c38981f4f13e90ff0c1a76f

releasenotes/notes/find-executor-cd3f110245c499c0.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    The ``find`` module is now allowed to run on the executor.

tests/fixtures/config/ansible/git/org_plugin-project/playbooks/find_local_bad.yaml

@@ -0,0 +1,5 @@
+- hosts: localhost
+  tasks:
+    - name: Find in a bad location
+      find:
+        paths: '/tmp/'

tests/fixtures/config/ansible/git/org_plugin-project/playbooks/find_local_good.yaml

@@ -0,0 +1,5 @@
+- hosts: localhost
+  tasks:
+    - name: Find in a good location
+      find:
+        paths: '{{ zuul.executor.work_root }}'

tests/unit/test_v3.py

@@ -2841,6 +2841,8 @@ class FunctionalAnsibleMixIn(object):
             ('file_local_bad', 'FAILURE'),
             ('fileglob_local_good', 'SUCCESS'),
             ('fileglob_local_bad', 'FAILURE'),
+            ('find_local_good', 'SUCCESS'),
+            ('find_local_bad', 'FAILURE'),
             ('zuul_return', 'SUCCESS'),
             ('password_create_good', 'SUCCESS'),
             ('password_null_good', 'SUCCESS'),

zuul/ansible/base/action/normal.py

@@ -103,3 +103,15 @@ class ActionModule(normal.ActionModule):
             path = self._task.args.get(arg)
             if path:
                 paths._fail_if_unsafe(path)
+
+    def handle_find(self):
+        '''Allow find module on localhost if it doesn't traverse unsafe files.
+
+        The :ansible:module:`find` can be used from the executor to
+        gather a list of files.
+        '''
+        find_paths = self._task.args.get('paths')
+        if not isinstance(find_paths, list):
+            find_paths = (find_paths,)
+        for path in find_paths:
+            paths._fail_if_unsafe(path)